
Clay Seal
A control plane that checks and records every action an AI agent takes
Gallery
About Clay Seal
Clay Seal is a runtime security control plane for AI agents that checks and records each action an agent takes at the moment it happens, instead of handing over a broad set of permissions at the start of a session and trusting the agent for the rest. The idea is simple to state. Most systems give an agent an API key or an OAuth scope that grants the same access for the whole run, no matter what the agent does with it, and Clay Seal replaces that with a check on every individual action. If an agent starts doing something it shouldn't, its next action is blocked rather than waved through.
The problem it targets is that static permissions fit regular software but not agents. A key or a scope is fine when a program behaves predictably, but an agent can be steered mid-task into misusing the access it already holds, and by then it has everything it needs to do damage. That gap matters most where actions can't be undone, like sending a payment, deploying code, touching customer data, or changing infrastructure. Clay Seal is built around the assumption that the dangerous moment is the action itself, so that's where it puts the control.
The product breaks into three parts that each work on their own. The first is runtime authority. Before an agent does anything irreversible, it has to present a token that was minted for that exact action, and the token only works once. If the arguments have changed, if it's been used before, if the signer isn't trusted, or if the grant went stale mid-task, the action is rejected. Teams usually start with whichever piece solves their most urgent problem and add the others later, so it doesn't demand an all-or-nothing adoption.
The second part is attested identity. An agent has to prove where it's running before it gets any credentials, and those credentials are short-lived and tied to a key only that agent holds, so a stolen token on its own is useless. Each action is linked back to the program that ran it and the person who owns it, with an identity drawn from the actual runtime rather than a shared secret. In practice a team scopes an agent to something like database reads and specific web access, and the resulting identity carries that scope wherever the agent acts.
The third part is verifiable receipts. Everything an agent does, and everything it's blocked from doing, is saved as a signed record that includes the policy it ran under, and the records are chained so that editing one after the fact is easy to catch. A team can hand that record to an auditor or a customer, who can verify it offline without trusting Clay Seal at all. The company leans on open standards to make that possible, including SPIFFE and SVID for identity, Biscuit tokens, Ed25519 signatures, RFC 6962 Merkle proofs, and MCP, so the receipts stand on their own.
On each action the flow is attest, scope, steer, and seal. The agent proves where it's running and gets an identity, the policy becomes a concrete list of what's allowed, each action is checked as it happens with a bad run stopped, and the outcome is written down for later. It's meant for teams running agents in production against sensitive surfaces, payments and refunds, pull requests and deployments, customer data, internal ops, and cloud resources. Policies are written as files like a refunds rule set, and a command-line tool verifies receipt bundles so anyone can confirm a record independently.
The name is a nod to an old idea. A long time ago, people sealed shipments with a stamp pressed into clay, and if the clay arrived unbroken and the stamp matched, you knew who sent it and that no one had opened it along the way, all without having to trust the courier. Clay Seal does the same thing for the work agents do, recording each action as it happens so anyone can check it afterward. That framing runs right through the design, from the attested identity that proves who acted, to the scoped authority that limits what they can do, to the receipts that leave a trail nobody can quietly alter. The open standards it builds on, from SPIFFE and Biscuit tokens to Merkle proofs and Nitro attestation, are all chosen so a receipt holds up on its own without anyone having to take the company's word for it.
Access is early. Clay Seal is onboarding design partners through a waitlist rather than selling a self-serve plan, and there's no public pricing yet. Applicants describe what their agents touch and hear back from a real person, with the docs open to read in the meantime. For a team that already trusts agents with actions it can't take back, the pitch is worth understanding even at this stage, since the approach of authorizing one action at a time and keeping a checkable record is a real departure from the blanket-permission model most agent stacks ship with today.
Key Features
- Per-action runtime authorization
- Single-use commit tokens
- Attested identity via SPIFFE and SVID
- Short-lived, agent-bound credentials
- Signed, verifiable action receipts
- Offline receipt verification via CLI
Pros & Cons
What we like
- Checks each action instead of a whole session
- Blocks reused or mutated action tokens
- Receipts verify offline without trusting the vendor
- Built on open standards like SPIFFE and Ed25519
Room for improvement
- Early access, currently onboarding design partners
- No public pricing published yet
- Requires technical setup and policy authoring
- Aimed at teams already running production agents
Frequently Asked Questions
What is Clay Seal?
How does Clay Seal work?
Is Clay Seal available yet?
Who is Clay Seal for?
Best For
Featured in
Alternatives to Clay Seal
View all
Dike
A compliance gateway that turns EU AI Act obligations into audit-ready evidence

1Password
Password and secrets manager for individuals, families, and developer teams with strong CLI and SSH agent support.

BackPedal
UK bike theft protection that sends recovery agents after your stolen bike

Capsule
Send files with a short link, no accounts, optional end-to-end encryption, gone in an hour
Reviews (6)
Solid daily driver
Clay Seal has quietly become part of my daily flow. Their take on built on open standards like spiffe and ed25519 is genuinely good. What stands out is how little babysitting it needs. No regrets so far.
Pulled its weight from week one
Three months of Clay Seal later, here is what holds up. The output quality holds up better than I expected.
Solid daily driver
Clay Seal has quietly become part of my daily flow. What stands out is how it handles built on open standards like spiffe and ed25519. It slotted into my routine without much fuss. Mostly using it for scoping what a deployment agent can push to ci. It earns its place in my stack.
Recommended without reservation
Picked Clay Seal for the price, stayed for the quality. Their take on offline receipt verification via cli is genuinely good. Hard to imagine going back to my old setup.
Good, with a few caveats
Tried Clay Seal on a side project first, then rolled it out everywhere. The defaults are sensible, so I was not fighting settings on day one. The catch is requires technical setup and policy authoring. Glad I made the switch.
Solid daily driver
Tried Clay Seal on a side project first, then rolled it out everywhere. Where it really wins is short-lived, agent-bound credentials. Mostly using it for scoping what a deployment agent can push to ci. Glad I made the switch.
Related Tools
Clerk
Drop-in authentication and user management for modern apps

Capsule
Send files with a short link, no accounts, optional end-to-end encryption, gone in an hour

Tailscale
WireGuard-based mesh VPN that connects your devices, servers, and cloud resources into one private network in minutes.

BackPedal
UK bike theft protection that sends recovery agents after your stolen bike